-
Web application firewalls: A technical guide
Web application firewalls are becoming critical data protection and compliance tools that any security decision maker must understand. SearchSecurity.com presents a comprehensive guide to Web application firewalls in which experts examine evaluation ... E-Book
-
Negative exposure: Web scanners reveal unknown holes
Enterprises increasingly need reliable technology to scan Web applications for vulnerabilities. But can organizations count on today's technology? This issue examines 2003's top Web application scanning products. Also in this issue: tools that make s... E-Zine
-
Web Application Security
This series looks at Web application threats, secure software development practices and the challenge of finding and fixing Web application vulnerabilities. Guide Series
-
Readers' Choice Awards 2011
Readers vote on the best Web security products, including software and hardware, hosted Web services for inbound and outbound content filtering for malware activity detection and prevention. Guide
-
Information security book excerpts and reviews
Visit the Information Security Bookshelf for book reviews and free chapter downloads. Information Security Book
-
Web application attacks security guide: Preventing attacks and flaws
This Web application attacks guide explains how Web application attacks occur, identifies Web application attack types, and provides Web application security tools and tactics to protect against them. Learning Guide
-
Locking down your Web applications
In this primer, learn how dynamically created Web server content can present a risk to the server itself, and how good processes can improve the Web server security life cycle. Security School
-
Quiz: Could you detect an application attack?
Take this five-question quiz to test your application security awareness, review common application attacks and learn how to improve application layer logging to detect and protect against these attacks. Security Quiz
-
State-based attacks: Session management
In this excerpt from Chapter 4 of "How to Break Web Software: Functional and Security Testing of Web Applications and Web Services," authors Mike Andrews and James A. Whittaker identify session management techniques Web developers should use to prote... Book Chapter
-
Content Spoofing
This excerpt from "Preventing Web Attacks with Apache" explains how content spoofing attacks exploit vulnerabilities and how to use Apache to protect against them. Book Chapter
-
Quiz: Web application threats and vulnerabilities
This quiz will help you determine how knowledgeable you are about securing your Web apps and whether you need to hone your Web security skills. Security Quiz
-
Gaining access using application and operating system attacks
In this excerpt from Chapter 7 of Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses, Second Edition, authors Ed Skoudis and Tom Liston explain how security professionals can use exploit frameworks to their advanta... Book Chapter
- See more Essential Knowledge on Web Application Security
-
Little being done to prevent Web application threats, analysts say
Vulnerabilities in HTML 5 make it an emerging threat; however, SQL injection and XSS remain among the top attacks. News | 19 Sep 2012
-
Java sandboxing could thwart attacks, but design may be impossible
Basic Java sandboxing has been around since 1995, but flaws in the Java virtual machine are highly targeted. Experts are calling on Oracle to do more. News | 29 Aug 2012
-
Adobe patches Flash Player vulnerability being actively targeted
Security researchers have detected attacks targeting users of Internet Explorer with a Flash file embedded in a Microsoft Word document. News | 15 Aug 2012
-
Adobe Flash Player security update fixes flaws, issues Firefox shield
Adobe repaired seven dangerous vulnerabilities in its latest Flash Player update and added sandboxing protection for Firefox and Mac users. News | 08 Jun 2012
-
HP study finds widespread custom Web application flaws
A review of hundreds of unique custom Web applications found more than half are vulnerable to cross-site scripting and more than 86% contain injection flaws. News | 18 Apr 2012
-
Time to ban dangerous apps? Exploring third-party app security
Column: Third-party applications are notoriously hard to patch and often easy to exploit. Is it time to ban applications, or can they be secured with a new approach? News | 27 Jan 2012
-
Adobe repairs critical Reader, Acrobat flaws, adds JavaScript control
The January 2012 update includes repairs to Adobe Reader X and a new feature giving administrators the ability to whitelist JavaScript execution. News | 10 Jan 2012
-
Twitter acquires WhisperSystems mobile security technology
Twitter acquired WhisperSystems, a firm that makes mobile encryption and firewall technology for Android devices. News | 28 Nov 2011
-
Web application risks exacerbated by social media ties, says ISACA
Ajax (Asynchronous JavaScript and XML), Flash and HTML 5 enable a rich Web experience, but also give attackers an alarming number of ways to penetrate corporate networks. News | 26 Oct 2011
-
New Java 7 features improve security
New features in Java 7 aim at bolstering security by switching off weaker encryption schemes. News | 06 Sep 2011
- See more News on Web Application Security
-
Time to ban dangerous apps? Exploring third-party app security
Column: Third-party applications are hard to patch and easy to exploit. Is it time to ban some apps, or to take a new approach? Opinion
-
Five common Web application vulnerabilities and how to avoid them
Expert Michael Cobb details the five most common Web application vulnerabilities and provides methods to help enterprises to secure them. Tip
-
Remediation planning for Ruby on Rails security vulnerabilities
The recent Ruby on Rails security vulnerabilities can be patched. Expert Michael Cobb discusses the fallout and offers help with remediation planning. Tip
-
How to negate business logic attack risk: Improve security in the SDLC
Expert Nick Lewis details the threat posed by business logic attacks and how stressing the importance of security in the SDLC can reduce that threat. Tip
-
SSL certificate management: Avoiding common mistakes
Errors are bound to occur when SSL certificate management is handled manually. Learn how to avoid these common mistakes. Tip
-
How to secure Java amid growing Java security vulnerabilities
Constant Java security vulnerabilities plague Oracle and enterprises alike. Expert Nick Lewis offers tips on how to use Java and the JRE securely. Tip
-
Web application firewalls: Patching, SDLC key for security, compliance
Mike Chapple on improving defense-in-depth security with Web application firewalls (WAFs) and a strong software development lifecycle (SDLC) process. Tip
-
HTML5 security: Will HTML5 replace Flash and increase Web security?
Will HTML5 replace Flash? Expert Michael Cobb discusses whether HTML5 security is better than Flash, and why HTML5 traffic can be harder to secure. Tip
-
Enabling secure Web development means treating vulnerabilities as bugs
Gil Danieli explains why secure Web development depends on treating vulnerabilities like any other software bugs, and how to get Web developers to buy in. Tip
-
How to review your Web application security assessment tools, strategy
Expert Cory Scott offers pointers for using Web application security assessment tools and developing an application security assessment strategy. Tip
-
Addressing the dangers of JavaScript in the enterprise
The dangers of JavaScript are no secret to security professionals. Expert Michael Cobb discusses enterprise JavaScript defense technology and tactics. Tip
- See more Tips on Web Application Security
-
Identifying and locking down known Java security vulnerabilities
Expert Michael Cobb discusses why known Java security vulnerabilities are on so many endpoints and how to contain them -- without updating Java. Answer
-
Using free Web application security scanning tools to secure Web apps
Expert Michael Cobb explains how free Web application security scanning tools can help secure Web apps for budget-strapped organizations. Answer
-
Web application security testing: Is a pen test or code review better?
For Web application security testing, if cash is tight, should a penetration test top an application code review? Michael Cobb explains his choice. Answer
-
Consider disabling Java as malware targets JRE vulnerabilities
Expert Nick Lewis advises enterprises to disable Java to defend against cross-platform malware that targets JRE vulnerabilities. Answer
-
Revisiting JRE security policy amid new ways to exploit Java
Expert Nick Lewis analyzes the increasing ability by hackers to exploit Java and the need to perform a JRE security policy analysis in response. Answer
-
Inside the W3C Web security standards to prevent cross-site scripting
Expert Mike Cobb details the W3C Web security standards designed to foster a content security policy and help prevent cross-site scripting attacks. Answer
-
Improving Web application security with automated attack toolkits
It may seem counterintuitive, but you can safely use automated attack toolkits to improve your Web application security. Nick Lewis explains. Answer
-
How to secure websites using the HSTS protocol
Learn how to use HTTP Strict Transport Security (HSTS) to secure websites and how HSTS prevents man-in-the-middle attacks. Answer
-
Open source testing tools for Web applications: Website vulnerability scanner and recon tools
Google’s open source testing tools for Web applications can save organizations money and improve the security of Web apps. Answer
-
Insufficient authorization: Hardening Web application authorization
Insufficient authorization errors can lead to Web app compromises and data loss. Learn how to fix these authorization errors. Answer
- See more Expert Advice on Web Application Security
-
distributed denial-of-service attack (DDoS)
On the Internet, a distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. Definition
-
Apache HTTP server project
The Apache HTTP server project is a collaborative open source Web server development initiative. The project is overseen by the Apache Software Foundation. Definition
-
Web application (Web app)
A Web application (Web app) is an application program that is stored on a remote server and delivered over the Internet through a browser interface. Definition
-
pen test (penetration testing)
Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Definition
-
National Computer Security Center (NCSC)
The National Computer Security Center (NCSC) is a U.S. government organization within the National Security Agency (NSA) that evaluates computing equipment for high security applications to ensure that facilities processing classified or other sensit... Definition
-
JavaScript hijacking
JavaScript hijacking is a technique that an attacker can use to read sensitive data from a vulnerable Web application, particularly one using Ajax (Asynchronous JavaScript and XML). Definition
-
buffer overflow
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Definition
-
cookie poisoning
On the Web, cookie poisoning is the modification of a cookie (data a site stores in a Web user's browser, often including session or account information) by an attacker to gain unauthorized information about the user or unauthorized access to the user's account, for purposes such as identity theft. Definition
-
cache cramming
Cache cramming is a method of tricking a computer into running Java code it would not ordinarily run. Definition
-
LUHN formula (modulus 10)
The LUHN formula, also called modulus 10, is a simple checksum algorithm used to validate identification numbers such as credit card numbers. It catches typing errors (any single wrong digit and most adjacent transpositions), not forged or stolen numbers, so it is an input sanity check rather than a security control. Definition
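The Luhn check in working form, as an added example that is not code from the original page. It validates a number and also computes the check digit for a payload, with 79927398713 as the standard illustrative value; the other inputs are constructed for the example.

```python
"""Luhn (mod 10) checksum: validation and check-digit generation.

Added example, not from the original page. The Luhn sum doubles every
second digit counting from the right, folds any two-digit result back
to a single digit (d - 9), and requires the total to be divisible by 10.
"""


def _normalize(number: str) -> str:
    """Strip the spaces and hyphens people type into card numbers."""
    return number.replace(" ", "").replace("-", "")


def luhn_sum(digits: str) -> int:
    """Return the Luhn sum mod 10 of a digit string whose rightmost
    digit is treated as the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:           # 10..18 -> 1..9 (same as summing the digits)
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """True if the number passes the Luhn check.

    Non-digit input and single-digit input are rejected rather than
    raising, so this is safe to call on untrusted form fields.
    """
    s = _normalize(number)
    if not s.isdigit() or len(s) < 2:
        return False
    return luhn_sum(s) == 0


def luhn_check_digit(payload: str) -> str:
    """Compute the check digit that makes payload + digit Luhn-valid."""
    s = _normalize(payload)
    if not s.isdigit():
        raise ValueError("payload must be decimal digits")
    # Append a placeholder 0 so the payload digits land in the right
    # positions, then choose the digit that brings the sum to 0 mod 10.
    return str((10 - luhn_sum(s + "0")) % 10)


if __name__ == "__main__":
    # Standard illustrative value; constructed variants show what Luhn
    # does and does not catch.
    print(luhn_valid("79927398713"))        # True
    print(luhn_valid("79927398710"))        # False: wrong check digit
    print(luhn_valid("79927398173"))        # False: adjacent transposition
    print(luhn_check_digit("7992739871"))   # "3"
```

A passing Luhn check only means the digits are internally consistent; treat it as a way to reject typos before hitting a payment processor, never as evidence that a card number is genuine.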
- See more Definitions on Web Application Security
-
An introduction to Web application threat modeling
Video: VerSprite's Tony UcedaVelez explains how Web application threat modeling assesses Web risk and how it differs from penetration testing. Video
-
Zed Attack Proxy tutorial: Uncover Web app vulnerabilities using ZAP
Video: Keith Barker of CBT Nuggets offers an OWASP Zed Attack Proxy tutorial. Learn how to find and nullify Web application vulnerabilities using ZAP. Screencast
-
Holistic security for database-centric applications
In this exclusive video presentation, Nemertes Research Senior Vice President and Founding Partner Andreas Antonopoulos provides an executive overview of the security issues of securing database-centric applications and the key tactics essential to s... Video
-
Screencast: Burp Suite tutorial highlights Burp Proxy, other key tools
In this screencast, Mike McLaughlin offers a short Burp Suite tutorial, including the key features of this powerful pen testing tool: Burp Proxy. Video
-
Countdown: Top 5 must-haves for your SDL security strategy
In this podcast, expert Cory Scott details the five most important elements to ensure enterprise SDL security for Web applications. Podcast
-
Web application attacks: Types and countermeasures
Video: Matasano Security's Cory Scott covers Web application attack types and how they target different layers of an application. Video
-
Mike Rothman on handling Web application security vulnerabilities
If you have Web apps, odds are you have Web app vulnerabilities. In this interview, Mike Rothman discusses what to do about them. Video
-
Gartner’s Ramon Krikken on Web application security scanners
In this video, learn how to get the most out of Web application security scanners, and the four key elements for a successful implementation. Video
-
Noted cryptographer on SSL, encryption and cloud computing
Cryptographer Taher Elgamal of Axway Inc., the inventor and initial driving force behind SSL, explains how applications may be better adapted to defend against attacks. Video
-
WASC Web Honeypot Project enters next phase
Ryan Barnett of Breach Security and leader of the WASC Honeypot Project talks about phase three of the project, which uses an open proxy server to analyze Web attack data. Video
- See more Multimedia on Web Application Security
About Web Application Security
Browse this section for the latest news, expert advice and learning tools on Web application security, including common threats and methods for protecting against them, Web application testing and assessment, and Web application firewalls, including how to deploy one.